Getting rid of Zonebac.gen!F and cleaning up afterwards looks to be a little complicated after reading the other posts. Anybody want to help me walk through the process? Thanks.

Please download Malwarebytes' Anti-Malware from one of these sites: MalwareBytes1 MalwareBytes2 1. Double Click mbam-setup.exe to install the application. 2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. 3. If an update is found, it will download and install the latest version. 4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. 5. When the scan is complete, click OK, then Show Results to view the results. 6. Make sure that everything found is checked, and click Remove Selected. 7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. 8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. 9. Copy&Paste the entire report in your next reply. Please download and install the latest version of HijackThis v2.0.2: Download the "HijackThis" Installer from this link: Hijack This 1. Save " HJTInstall.exe" to your desktop. 2. Double click on HJTInstall.exe to run the program. 3. By default it will install to C:\Program Files\Trend Micro\HijackThis. 4. Accept the license agreement by clicking the "I Accept" button. 5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log. 6. Click "Save log" to save the log file and then the log will open in Notepad. 7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. 8. Paste the log in your next reply. 9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required. Please download FindAWF from this link: FindAWF Save the file to the Desktop Double-click the FindAWF icon. If a Security Alert shows, allow the program to run. As instructed, press any key to continue. Use the following option: Press 1 then Enter to scan for bak folders The scan may take a while, please be patient. When done, a text file, Find AWF report is produced. Please provide Find AWF report in your reply.

Thank you for the help. Your instructions are very clear and easy to follow. Here is the Malware log: Malwarebytes' Anti-Malware 1.28 Database version: 1222 Windows 5.1.2600 Service Pack 2 9/30/2008 6:12:14 PM mbam-log-2008-09-30 (18-12-14).txt Scan type: Quick Scan Objects scanned: 54616 Time elapsed: 6 minute(s), 22 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 8 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 2 Files Infected: 5 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\Program Files\eSoftware\studio.dll (Adware.BHO) -> Delete on reboot. Registry Keys Infected: HKEY_CLASSES_ROOT\toolbar.tb (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{6c45bab3-2a03-44a0-b2de-d6850cdd29b0} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{c3614386-3a1b-42c9-a1eb-845e109346a1} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{d83a7b12-a4d4-4984-8f72-d41c6b4c1e6e} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d83a7b12-a4d4-4984-8f72-d41c6b4c1e6e} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\toolbar.tb.1 (Adware.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\AMeOpt (Adware.NetOptimizer) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\AMeOpt (Adware.NetOptimizer) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully. C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully. Files Infected: C:\Program Files\eSoftware\studio.dll (Adware.BHO) -> Delete on reboot. C:\Program Files\WinBudget\bin\matrix.dll (Adware.AdMedia) -> Quarantined and deleted successfully. C:\Program Files\WinBudget\bin\tempzor (Adware.AdMedia) -> Quarantined and deleted successfully. C:\Documents and Settings\Eric\Cookies\MM2048.DAT (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Eric\Cookies\MM256.DAT (Trojan.Agent) -> Quarantined and deleted successfully. Here is the HijackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:18:42 PM, on 9/30/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\pctspk.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\WinZip\WZQKPICK.exe C:\Program Files\Microsoft Office\Office10\msoffice.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin... R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin... R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O15 - Trusted Zone: http://www.portlandfit.com O15 - Trusted Zone: http://www.stressthenrest.com O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re... O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing) O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSEC.exe (file missing) O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NeroSVC - ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany Fax: ++49-7248-911-888 e-mail: info@ahead.de - C:\Program Files\ahead\Nero\NeroSVC.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 5200 bytes Here is the FindAWF log: Find AWF report by noahdfear ©2006 Version 1.40 The current date is: Tue 09/30/2008 The current time is: 18:20:43.39 bak folders found ~~~~~~~~~~~ Directory of C:\PROGRA~1\ITUNES\BAK 10/21/2003 06:07 PM 229,376 iTunesHelper.exe 08/10/2008 08:49 PM 510 iTunesHelperAppLog.txt 2 File(s) 229,886 bytes Directory of C:\PROGRA~1\WIFD1F~1\BAK 11/03/2006 07:20 PM 866,584 MSASCui.exe 1 File(s) 866,584 bytes Directory of C:\WINDOWS\SYSTEM32\BAK 08/04/2004 01:56 AM 15,360 ctfmon.exe 05/03/2002 11:33 AM 155,648 NeroCheck.exe 2 File(s) 171,008 bytes Directory of C:\PROGRA~1\AHEAD\INCD\BAK 05/03/2002 11:33 AM 868,352 InCD.exe 1 File(s) 868,352 bytes Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK 09/11/2001 03:20 PM 69,632 Smtray.exe 1 File(s) 69,632 bytes Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK 06/28/2004 10:29 PM 32,768 PDVDServ.exe 1 File(s) 32,768 bytes Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK 02/16/2005 11:11 PM 49,152 HPWuSchd2.exe 1 File(s) 49,152 bytes Directory of C:\PROGRA~1\VERIZON\SERVIC~1\BAK 02/01/2006 07:33 PM 1,880,064 VerizonServicepoint.exe 1 File(s) 1,880,064 bytes Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\DISTILLR\BAK 01/12/2006 08:52 PM 483,328 Acrotray.exe 1 File(s) 483,328 bytes Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK 0 File(s) 0 bytes Directory of C:\PROGRA~1\HP\DFAWEP\BIN\BAK 12/23/2007 09:47 PM 618,496 hpbdfawep.exe 1 File(s) 618,496 bytes Directory of C:\PROGRA~1\HP\TOOLBO~1\BIN\BAK 06/15/2006 08:43 AM 49,152 HPTLBXFX.exe 1 File(s) 49,152 bytes Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ 229376 Oct 21 2003 "C:\Program Files\iTunes\bak\iTunesHelper.exe" 510 Aug 10 2008 "C:\Program Files\iTunes\bak\iTunesHelperAppLog.txt" 866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe" 866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe" 15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe" 15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe" 155648 May 3 2002 "C:\WINDOWS\system32\bak\NeroCheck.exe" 868352 May 3 2002 "C:\Program Files\ahead\InCD\bak\InCD.exe" 69632 Sep 11 2001 "C:\Program Files\Analog Devices\SoundMAX\bak\Smtray.exe" 32768 Jun 28 2004 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe" 49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe" 442368 Apr 11 2003 "C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe" 1880064 Feb 1 2006 "C:\Program Files\Verizon\Servicepoint\bak\VerizonServicepoint.exe" 21644360 Nov 29 2006 "C:\Documents and Settings\Eric\Application Data\Verizon\VSP\downloads\Verizon-PC-Security-Checkup-1.5.5-Setup.41.exe.dir\Verizon-PC-Security-Checkup-1.5.5-Setup.exe" 483328 Apr 23 2008 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe" 483328 Jan 12 2006 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe" 618496 Dec 23 2007 "C:\Program Files\HP\DfaWep\bin\bak\hpbdfawep.exe" 49152 Jun 15 2006 "C:\Program Files\HP\ToolBoxFX\bin\bak\HPTLBXFX.exe" end of report

Double-click the FindAWF icon once again If a Security Alert shows, allow the program to run. As instructed, press any key to continue. Use the following option: Press 2 then Enter to restore files from bak folders A text file opens called: files.txt Copy/paste the following list of bolded files to be restored: "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes\bak\iTunesHelperAppLog.txt" "C:\Program Files\Windows Defender\bak\MSASCui.exe" "C:\WINDOWS\system32\bak\ctfmon.exe" "C:\WINDOWS\system32\bak\NeroCheck.exe" "C:\Program Files\ahead\InCD\bak\InCD.exe" "C:\Program Files\Analog Devices\SoundMAX\bak\Smtray.exe" "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe" "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe" "C:\Program Files\Verizon\Servicepoint\bak\VerizonServicepoint.exe" "C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe" "C:\Program Files\HP\DfaWep\bin\bak\hpbdfawep.exe" "C:\Program Files\HP\ToolBoxFX\bin\bak\HPTLBXFX.exe" Next, close and click Yes to save the changes. Once files.txt is saved, FindAWF does the following: -It attempts to terminate the process represented by each filename on the list, if running -Deletes the rogue file from the parent folder, if present -Copies the original file to the parent folder When done with the above, it automatically runs a new scan and opens a new log. Please provide the new FindAWF log in your reply.

Here is the FindAWF log: Find AWF report by noahdfear ©2006 Version 1.40 Option 2 run successfully The current date is: Wed 10/01/2008 The current time is: 8:47:51.42 bak folders found ~~~~~~~~~~~ Directory of C:\PROGRA~1\ITUNES\BAK 10/21/2003 06:07 PM 229,376 iTunesHelper.exe 08/10/2008 08:49 PM 510 iTunesHelperAppLog.txt 2 File(s) 229,886 bytes Directory of C:\PROGRA~1\WIFD1F~1\BAK 11/03/2006 07:20 PM 866,584 MSASCui.exe 1 File(s) 866,584 bytes Directory of C:\WINDOWS\SYSTEM32\BAK 08/04/2004 01:56 AM 15,360 ctfmon.exe 05/03/2002 11:33 AM 155,648 NeroCheck.exe 2 File(s) 171,008 bytes Directory of C:\PROGRA~1\AHEAD\INCD\BAK 05/03/2002 11:33 AM 868,352 InCD.exe 1 File(s) 868,352 bytes Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK 09/11/2001 03:20 PM 69,632 Smtray.exe 1 File(s) 69,632 bytes Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK 06/28/2004 10:29 PM 32,768 PDVDServ.exe 1 File(s) 32,768 bytes Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK 02/16/2005 11:11 PM 49,152 HPWuSchd2.exe 1 File(s) 49,152 bytes Directory of C:\PROGRA~1\VERIZON\SERVIC~1\BAK 02/01/2006 07:33 PM 1,880,064 VerizonServicepoint.exe 1 File(s) 1,880,064 bytes Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\DISTILLR\BAK 01/12/2006 08:52 PM 483,328 Acrotray.exe 1 File(s) 483,328 bytes Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK 0 File(s) 0 bytes Directory of C:\PROGRA~1\HP\DFAWEP\BIN\BAK 12/23/2007 09:47 PM 618,496 hpbdfawep.exe 1 File(s) 618,496 bytes Directory of C:\PROGRA~1\HP\TOOLBO~1\BIN\BAK 06/15/2006 08:43 AM 49,152 HPTLBXFX.exe 1 File(s) 49,152 bytes Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ 229376 Oct 21 2003 "C:\Program Files\iTunes\iTunesHelper.exe" 229376 Oct 21 2003 "C:\Program Files\iTunes\bak\iTunesHelper.exe" 510 Aug 10 2008 "C:\Program Files\iTunes\iTunesHelperAppLog.txt" 510 Aug 10 2008 "C:\Program Files\iTunes\bak\iTunesHelperAppLog.txt" 866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe" 866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe" 15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe" 15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe" 155648 May 3 2002 "C:\WINDOWS\system32\NeroCheck.exe" 155648 May 3 2002 "C:\WINDOWS\system32\bak\NeroCheck.exe" 868352 May 3 2002 "C:\Program Files\ahead\InCD\InCD.exe" 868352 May 3 2002 "C:\Program Files\ahead\InCD\bak\InCD.exe" 69632 Sep 11 2001 "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" 69632 Sep 11 2001 "C:\Program Files\Analog Devices\SoundMAX\bak\Smtray.exe" 32768 Jun 28 2004 "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" 32768 Jun 28 2004 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe" 49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" 49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe" 1880064 Feb 1 2006 "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" 442368 Apr 11 2003 "C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe" 1880064 Feb 1 2006 "C:\Program Files\Verizon\Servicepoint\bak\VerizonServicepoint.exe" 21644360 Nov 29 2006 "C:\Documents and Settings\Eric\Application Data\Verizon\VSP\downloads\Verizon-PC-Security-Checkup-1.5.5-Setup.41.exe.dir\Verizon-PC-Security-Checkup-1.5.5-Setup.exe" 483328 Jan 12 2006 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" 483328 Jan 12 2006 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe" 618496 Dec 23 2007 "C:\Program Files\HP\DfaWep\bin\hpbdfawep.exe" 618496 Dec 23 2007 "C:\Program Files\HP\DfaWep\bin\bak\hpbdfawep.exe" 49152 Jun 15 2006 "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" 49152 Jun 15 2006 "C:\Program Files\HP\ToolBoxFX\bin\bak\HPTLBXFX.exe" end of report